Privacy & Data Policy
Personal data regulations regarding the relationship between the customer as the Data Controller and Parcel4you as the Data Processor.
Version 1.0. is effective from May 25, 2018
Personal data regulations, which apply to service agreement entered into with Parcel4you.
1. Personal data protection regulations
The relationship between the customer as the Data Controller and Parcel4you Group companies (further referred to as Parcel4you) as the Data Processor.
1.1 The agreement that the customers have with Parcel4you concerns parcel delivery solution services for their customers and as a natural part of this, Parcel4you processes various personal data on the customer’s behalf. This concerns data about the customer’s customers, i.e. data relating to the persons who are the recipients of the consignments.
This section 1 concerns the relationship between the Data Controller (customer) and the Data Processor (Parcel4you), in connection with the personal data regulations.
1.2 Processed personal data.
1.2.1. The Data Processor, as part of the service, has access, on behalf of the Data Controller, to process:
Name, address, e-mail and phone number of the persons receiving the consignments.
In some cases, also, the information about the individual type of item sent and the value/price of the item.
1.3. The purpose and scope of the personal data processing.
1.3.1. As a natural part of the Data Processor’s status as the provider of parcel delivery solutions for handling the Data Controller’s delivery processes, the Data Processor stores/intermediates, and forwards information to relevant third parties (sub-processors) in the form of shipping companies that the Data Processor engages to perform the parcel deliveries for Data Controller, and possibly customs authorities (if the consignments are cross-border).
1.3.2. The purpose of the personal data processing is to manage the Data Controller’s parcel delivery processes.
1.3.3. It is emphasised that the Data Processor may only process personal data to the extent necessary for the fulfilment of the Data Controller’s delivery service with the Data Processor and its sub-processors, and/or if the Data Processor is required by law to process the data otherwise.
1.3.4. (Unless specified otherwise) It is emphasized that the shipping companies to which personal data is disclosed as part of this agreement are directly forwarded by the Data Controller to the Data Processor’s (Parcel4you’s) sub-processors. – Parcel4you P/S has only an intermediary function in this regard.
1.4. The Data Processor’s obligations
1.4.1. The Data Processor may only process the personal data in question in accordance with the instructions of the Data Controller, i.e. the instructions contained in the mutual shipping / service agreement, under which the Data Processor shall manage parcel delivery processes for the Data Controller.
1.4.2. The Data Processor is required to comply with the currently-applicable personal data legislation and shall notify the Data Controller immediately if an instruction from the Data Controller is, in the Data Processor’s opinion, contrary to the General Data Protection Regulation or Danish personal data legislation in general.
1.4.3. The Data Processor shall use appropriate technical and organisational security measures to ensure that personal data is not destroyed, lost, degraded or disclosed to unauthorized bodies, misused or otherwise processed in breach of personal data legislation, whereby the Data Processor shall implement the measures necessary pursuant to article 32 of the General Data Protection Regulation.
1.4.4. The Data Processor is obliged to inform the Data Controller without undue delay of any data breach. In this regard, the Data Processor shall inform the Data Controller of:
-The nature of the data breach.
-If possible, the type and number of affected data subjects, as well as the type of personal data concerned and the number of records of personal data concerned.
-The measures that the Data Processor has taken or proposes should be taken to deal with the data breach, including, where appropriate, measures to limit its potential adverse effects.
The probable consequences of the data breach.
9.4.5. The Data Processor shall, at the Data Controller’s request, provide the Data Controller with sufficient information to ensure that the Data Processor has taken the necessary technical and organisational security measures.
1.4.6 The Data Processor shall provide all the information necessary to demonstrate that the Data Processor complies with the General Data Protection Regulation’s article 28, whereby the Data Processor shall allow and contribute to audits, including inspections carried out by the Data Controller or another auditor authorised by the Data Controller. It is emphasised that inspections/audits in every respect take place at the Data Controller’s expense.
1.4.7. The Data Processor shall secure that the persons who are authorised by the Data Processor to process personal data have committed themselves to confidentiality or are bound by an appropriate statutory professional secrecy obligation.
1.4.8. If a data subject asks the Data Processor (usually such requests will be made to the Data Controller) for access to and insight into that person’s personal data, the Data Processor shall immediately forward the request to the Data Controller.
1.4.9. The Data Processor shall assist the Data Controller with appropriate technical and organisational tools to enable the Data Controller to fulfil the Data Controller’s obligations to respond to requests for the exercise of the rights of the data subjects as specified in chapter III of the General Data Protection Regulation.
1.5. Specifically, about the transfer of information to sub-data processors or third parties
1.5.1. As a natural part of the Parcel4you delivery solution, the Data Processor is entitled to disclose personal data to sub-processors (shipping companies), and the Data Processor is also entitled to exchange personal data with the customs authorities.
1.5.2. In all other cases the Data Processor may only disclose or transfer personal data to third parties or sub-processors with the prior agreement with the Data Controller. However, the Data Processor may disclose or transfer personal data without the Data Controller’s instructions, if permitted by law.
1.5.3. If the Data Processor hands over personal data to another data processor (sub-processor), the Data Processor is obliged to conclude a sub-processor agreement with the sub-processor, whereby the Data Processor’s sub-processor is subject to at least the same conditions as stated in this section 1.
1.5.4. The Data Controller approves the Data Processor to extend the circle of sub-processors and/or to replace existing sub-processors with others in order to fulfil the terms of the service agreement.
1.5.5. The Data Processor must not transfer personal data to third countries that the EU Commission has not assessed as safe third countries.
1.5.6. If the information is transferred to foreign sub-processors, it must be stated in the data processing agreement, cf. 1.5.3 that sub-processors shall comply with the EU’s General Data Protection Regulation and any other current personal data law in force. Sub-processors in EU countries with specific regulatory requirements regarding data processing must also comply with these requirements.
1.6. Duration of data processing
1.6.1. The processing of personal data pursuant to this agreement continues until such time as the service agreement concluded between the parties ceases.
1.6.2. However, in the event of the termination of the service agreement, the Data Processor is bound by this agreement for as long as the Data Processor has access to personal data originating from the Data Controller.
1.6.3. In the event of termination of a mutual service agreement, the Data Processor is required to delete any backups and other copies of the personal data.
1.6.4. However, as a limitation to the foregoing provisions, it is noted that, pursuant to the Danish Bookkeeping Act for the purposes of documenting the services/consignments covered by the service payments, the Data Processor shall store the relevant personal data for each consignment for up to five years after the consignment year. The personal data shall then be deleted, leaving only the type, value/price of the goods, and the recipient country, while other data (recipient name, postal address, e-mail and phone number) are deleted.
2. Law and jurisdiction
2.1 This agreement is governed by Danish law.
2.2 Any claim and any dispute arising out of or in connection with this agreement shall be sought to be resolved by the parties through negotiation. If the parties cannot reach agreement, the dispute shall be settled in the first instance by the Court in Viborg.